Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 09:02
Static task
static1
Behavioral task
behavioral1
Sample
6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe
-
Size
512KB
-
MD5
6a6c05526988d51e3f0af53789f40c08
-
SHA1
ab8b60a0c858a9b1b774e4d3ec9daee87ebeea8f
-
SHA256
4095c60bdb857d90c6ab19dc0dd248c23bd0e179ada792f8d2d6b4316de45154
-
SHA512
ee4aa80c060ce7d943b3627d53cdae34907180b34e8b57af2920a69de4569db3876a972e7f93a6cf631e1fecd9cf744405e4594578a1fbe5e3802e3f447326c4
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6l:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5c
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
yiujeprxil.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" yiujeprxil.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
yiujeprxil.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yiujeprxil.exe -
Processes:
yiujeprxil.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yiujeprxil.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yiujeprxil.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yiujeprxil.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yiujeprxil.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" yiujeprxil.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
yiujeprxil.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" yiujeprxil.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
Processes:
yiujeprxil.exetsjkrcfnvwimfro.exeuxqzuhmd.execyupuftcmbsqh.exeuxqzuhmd.exepid process 4980 yiujeprxil.exe 2756 tsjkrcfnvwimfro.exe 1152 uxqzuhmd.exe 3360 cyupuftcmbsqh.exe 4276 uxqzuhmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
yiujeprxil.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" yiujeprxil.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yiujeprxil.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yiujeprxil.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yiujeprxil.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" yiujeprxil.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yiujeprxil.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
tsjkrcfnvwimfro.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kxhmlbxr = "yiujeprxil.exe" tsjkrcfnvwimfro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hkfgwdaz = "tsjkrcfnvwimfro.exe" tsjkrcfnvwimfro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cyupuftcmbsqh.exe" tsjkrcfnvwimfro.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
yiujeprxil.exeuxqzuhmd.exeuxqzuhmd.exedescription ioc process File opened (read-only) \??\o: yiujeprxil.exe File opened (read-only) \??\r: yiujeprxil.exe File opened (read-only) \??\b: uxqzuhmd.exe File opened (read-only) \??\a: uxqzuhmd.exe File opened (read-only) \??\r: uxqzuhmd.exe File opened (read-only) \??\h: yiujeprxil.exe File opened (read-only) \??\i: yiujeprxil.exe File opened (read-only) \??\y: uxqzuhmd.exe File opened (read-only) \??\n: uxqzuhmd.exe File opened (read-only) \??\o: uxqzuhmd.exe File opened (read-only) \??\q: uxqzuhmd.exe File opened (read-only) \??\m: yiujeprxil.exe File opened (read-only) \??\o: uxqzuhmd.exe File opened (read-only) \??\t: uxqzuhmd.exe File opened (read-only) \??\k: yiujeprxil.exe File opened (read-only) \??\l: yiujeprxil.exe File opened (read-only) \??\h: uxqzuhmd.exe File opened (read-only) \??\j: uxqzuhmd.exe File opened (read-only) \??\r: uxqzuhmd.exe File opened (read-only) \??\u: uxqzuhmd.exe File opened (read-only) \??\z: uxqzuhmd.exe File opened (read-only) \??\n: uxqzuhmd.exe File opened (read-only) \??\t: uxqzuhmd.exe File opened (read-only) \??\v: uxqzuhmd.exe File opened (read-only) \??\b: uxqzuhmd.exe File opened (read-only) \??\e: uxqzuhmd.exe File opened (read-only) \??\m: uxqzuhmd.exe File opened (read-only) \??\u: yiujeprxil.exe File opened (read-only) \??\x: yiujeprxil.exe File opened (read-only) \??\q: uxqzuhmd.exe File opened (read-only) \??\s: uxqzuhmd.exe File opened (read-only) \??\x: uxqzuhmd.exe File opened (read-only) \??\g: uxqzuhmd.exe File opened (read-only) \??\k: uxqzuhmd.exe File opened (read-only) \??\q: yiujeprxil.exe File opened (read-only) \??\h: uxqzuhmd.exe File opened (read-only) \??\p: uxqzuhmd.exe File opened (read-only) \??\b: yiujeprxil.exe File opened (read-only) \??\y: yiujeprxil.exe File opened (read-only) \??\g: uxqzuhmd.exe File opened (read-only) \??\i: uxqzuhmd.exe File opened (read-only) \??\k: uxqzuhmd.exe File opened (read-only) \??\l: uxqzuhmd.exe File opened (read-only) \??\x: uxqzuhmd.exe File opened (read-only) \??\p: yiujeprxil.exe File opened (read-only) \??\s: yiujeprxil.exe File opened (read-only) \??\e: uxqzuhmd.exe File opened (read-only) \??\s: uxqzuhmd.exe File opened (read-only) \??\w: uxqzuhmd.exe File opened (read-only) \??\i: uxqzuhmd.exe File opened (read-only) \??\g: yiujeprxil.exe File opened (read-only) \??\t: yiujeprxil.exe File opened (read-only) \??\a: uxqzuhmd.exe File opened (read-only) \??\m: uxqzuhmd.exe File opened (read-only) \??\z: uxqzuhmd.exe File opened (read-only) \??\j: yiujeprxil.exe File opened (read-only) \??\j: uxqzuhmd.exe File opened (read-only) \??\l: uxqzuhmd.exe File opened (read-only) \??\u: uxqzuhmd.exe File opened (read-only) \??\e: yiujeprxil.exe File opened (read-only) \??\n: yiujeprxil.exe File opened (read-only) \??\z: yiujeprxil.exe File opened (read-only) \??\v: yiujeprxil.exe File opened (read-only) \??\w: yiujeprxil.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
yiujeprxil.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" yiujeprxil.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" yiujeprxil.exe -
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/2004-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\tsjkrcfnvwimfro.exe autoit_exe C:\Windows\SysWOW64\yiujeprxil.exe autoit_exe C:\Windows\SysWOW64\uxqzuhmd.exe autoit_exe C:\Windows\SysWOW64\cyupuftcmbsqh.exe autoit_exe \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe autoit_exe C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe autoit_exe C:\Users\Admin\Documents\WaitPop.doc.exe autoit_exe \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe autoit_exe \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe autoit_exe -
Drops file in System32 directory 12 IoCs
Processes:
6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exeyiujeprxil.exeuxqzuhmd.exeuxqzuhmd.exedescription ioc process File opened for modification C:\Windows\SysWOW64\yiujeprxil.exe 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe File created C:\Windows\SysWOW64\tsjkrcfnvwimfro.exe 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe File created C:\Windows\SysWOW64\uxqzuhmd.exe 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll yiujeprxil.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe uxqzuhmd.exe File created C:\Windows\SysWOW64\yiujeprxil.exe 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\tsjkrcfnvwimfro.exe 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\uxqzuhmd.exe 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe File created C:\Windows\SysWOW64\cyupuftcmbsqh.exe 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\cyupuftcmbsqh.exe 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe uxqzuhmd.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe uxqzuhmd.exe -
Drops file in Program Files directory 19 IoCs
Processes:
uxqzuhmd.exeuxqzuhmd.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe uxqzuhmd.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe uxqzuhmd.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe uxqzuhmd.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe uxqzuhmd.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal uxqzuhmd.exe File opened for modification C:\Program Files\DismountFormat.doc.exe uxqzuhmd.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe uxqzuhmd.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe uxqzuhmd.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal uxqzuhmd.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal uxqzuhmd.exe File opened for modification \??\c:\Program Files\DismountFormat.doc.exe uxqzuhmd.exe File opened for modification C:\Program Files\DismountFormat.nal uxqzuhmd.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe uxqzuhmd.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe uxqzuhmd.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe uxqzuhmd.exe File created \??\c:\Program Files\DismountFormat.doc.exe uxqzuhmd.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal uxqzuhmd.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe uxqzuhmd.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe uxqzuhmd.exe -
Drops file in Windows directory 19 IoCs
Processes:
uxqzuhmd.exeuxqzuhmd.exe6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exeWINWORD.EXEdescription ioc process File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe uxqzuhmd.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe uxqzuhmd.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe uxqzuhmd.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe uxqzuhmd.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe uxqzuhmd.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe uxqzuhmd.exe File opened for modification C:\Windows\mydoc.rtf 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe uxqzuhmd.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe uxqzuhmd.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe uxqzuhmd.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe uxqzuhmd.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe uxqzuhmd.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe uxqzuhmd.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe uxqzuhmd.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe uxqzuhmd.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe uxqzuhmd.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe uxqzuhmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
Processes:
6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exeyiujeprxil.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B05B44EF38E852CBBAA13298D7BB" 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFC8E4F5C826A903DD7217E91BDEEE14459456644623FD79C" 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C67A15E4DAC7B9BA7CE0ED9F37BC" 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" yiujeprxil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc yiujeprxil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs yiujeprxil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg yiujeprxil.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh yiujeprxil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf yiujeprxil.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78368C4FE6C21ACD27CD0D38B0E9013" 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" yiujeprxil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" yiujeprxil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" yiujeprxil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C089D2C83556A4277D077242DD67D8764AC" 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9CEF967F192840B3B42869D39E6B38903884361034FE1C8459B08A5" 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat yiujeprxil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" yiujeprxil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" yiujeprxil.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3892 WINWORD.EXE 3892 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exeyiujeprxil.exetsjkrcfnvwimfro.exeuxqzuhmd.execyupuftcmbsqh.exeuxqzuhmd.exepid process 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 1152 uxqzuhmd.exe 1152 uxqzuhmd.exe 1152 uxqzuhmd.exe 1152 uxqzuhmd.exe 1152 uxqzuhmd.exe 1152 uxqzuhmd.exe 1152 uxqzuhmd.exe 1152 uxqzuhmd.exe 3360 cyupuftcmbsqh.exe 3360 cyupuftcmbsqh.exe 3360 cyupuftcmbsqh.exe 3360 cyupuftcmbsqh.exe 3360 cyupuftcmbsqh.exe 3360 cyupuftcmbsqh.exe 3360 cyupuftcmbsqh.exe 3360 cyupuftcmbsqh.exe 3360 cyupuftcmbsqh.exe 3360 cyupuftcmbsqh.exe 3360 cyupuftcmbsqh.exe 3360 cyupuftcmbsqh.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 4276 uxqzuhmd.exe 4276 uxqzuhmd.exe 4276 uxqzuhmd.exe 4276 uxqzuhmd.exe 4276 uxqzuhmd.exe 4276 uxqzuhmd.exe 4276 uxqzuhmd.exe 4276 uxqzuhmd.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exeyiujeprxil.exetsjkrcfnvwimfro.exeuxqzuhmd.execyupuftcmbsqh.exeuxqzuhmd.exepid process 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 1152 uxqzuhmd.exe 3360 cyupuftcmbsqh.exe 1152 uxqzuhmd.exe 3360 cyupuftcmbsqh.exe 1152 uxqzuhmd.exe 3360 cyupuftcmbsqh.exe 4276 uxqzuhmd.exe 4276 uxqzuhmd.exe 4276 uxqzuhmd.exe -
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exeyiujeprxil.exetsjkrcfnvwimfro.exeuxqzuhmd.execyupuftcmbsqh.exeuxqzuhmd.exepid process 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 4980 yiujeprxil.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 2756 tsjkrcfnvwimfro.exe 1152 uxqzuhmd.exe 3360 cyupuftcmbsqh.exe 1152 uxqzuhmd.exe 3360 cyupuftcmbsqh.exe 1152 uxqzuhmd.exe 3360 cyupuftcmbsqh.exe 4276 uxqzuhmd.exe 4276 uxqzuhmd.exe 4276 uxqzuhmd.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 3892 WINWORD.EXE 3892 WINWORD.EXE 3892 WINWORD.EXE 3892 WINWORD.EXE 3892 WINWORD.EXE 3892 WINWORD.EXE 3892 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exeyiujeprxil.exedescription pid process target process PID 2004 wrote to memory of 4980 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe yiujeprxil.exe PID 2004 wrote to memory of 4980 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe yiujeprxil.exe PID 2004 wrote to memory of 4980 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe yiujeprxil.exe PID 2004 wrote to memory of 2756 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe tsjkrcfnvwimfro.exe PID 2004 wrote to memory of 2756 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe tsjkrcfnvwimfro.exe PID 2004 wrote to memory of 2756 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe tsjkrcfnvwimfro.exe PID 2004 wrote to memory of 1152 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe uxqzuhmd.exe PID 2004 wrote to memory of 1152 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe uxqzuhmd.exe PID 2004 wrote to memory of 1152 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe uxqzuhmd.exe PID 2004 wrote to memory of 3360 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe cyupuftcmbsqh.exe PID 2004 wrote to memory of 3360 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe cyupuftcmbsqh.exe PID 2004 wrote to memory of 3360 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe cyupuftcmbsqh.exe PID 2004 wrote to memory of 3892 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe WINWORD.EXE PID 2004 wrote to memory of 3892 2004 6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe WINWORD.EXE PID 4980 wrote to memory of 4276 4980 yiujeprxil.exe uxqzuhmd.exe PID 4980 wrote to memory of 4276 4980 yiujeprxil.exe uxqzuhmd.exe PID 4980 wrote to memory of 4276 4980 yiujeprxil.exe uxqzuhmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6a6c05526988d51e3f0af53789f40c08_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\yiujeprxil.exeyiujeprxil.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\uxqzuhmd.exeC:\Windows\system32\uxqzuhmd.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4276 -
C:\Windows\SysWOW64\tsjkrcfnvwimfro.exetsjkrcfnvwimfro.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2756 -
C:\Windows\SysWOW64\uxqzuhmd.exeuxqzuhmd.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1152 -
C:\Windows\SysWOW64\cyupuftcmbsqh.execyupuftcmbsqh.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3360 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3892
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exeFilesize
512KB
MD5f3093a4507a090a9827e3bf40e2e31bc
SHA17978bc2dc463c970dc1b8dcda5817ebbfe181f27
SHA25629eeb76dd2959c08962d0c702b5e508e45c8a643588665354335346c2ad07ae6
SHA5123042caec83762d90dc46b2d5733377654c42e8f98ce3dbdf0319929d26cd1da4de8906d35ada61428ed6e0d2848f8e06c0f2a6d3f79940cfe98aaa885b571b03
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
239B
MD51459a67e7603529e2bd4067a2a106783
SHA150364cbc787a8be7195e9f7847e1087a8426f3d7
SHA256c989778e2fd3711e7ec2d1578a84da327ba9ef65015084c9f4fcf3e4c9e1a9cc
SHA512b21324f7d9bbb59a64f178c735dd70496629ad0a08b2b5a6eee2346664104b03c13805102347cf5263f8b2e797f08fadaec01e231bc2db1f7716e1f7b257c373
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xslFilesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD55f7104907fbdb488624567e210db7cb3
SHA1dea597ff9397c4d0556971e238ce19f7ac1efaca
SHA2566fdd06c9b637af71b3ba91c0f527e3801e6a89d159a0ed262d9e048adbddb26a
SHA5125ba1e30c79ef7fad45622bde02d05ebbe49f74769839fa7ddd91980e2a39ff96913ee8880efe7c6322fa989d067d40f0a684a8d3c81f791773b58a3d35898c80
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD5b924028cf174fa7035063356ac9c50ae
SHA10314d30a2a58710539ce5771c5cb43139175371c
SHA25692e4f5b9f74b0b14e12d1c8998daf9496bf2c9dde3cdd1415e30455fa3d13479
SHA512f7d99d57bf071f9f667e288c36c4aa3f87d788f8b8d3e17be4c0b20d180eed7601ebb56f5449f805be4707a2cd9c13b699965203adf83cef6db712ee188877ab
-
C:\Users\Admin\Documents\WaitPop.doc.exeFilesize
512KB
MD5b7f2dfe59a9b70e6696d9646081ebfa2
SHA1748a45b56c12bc52d3a287b542c37af352ff5ed6
SHA256180d7a8f66046e2233fe76ea97d4d27a892c5e1f90259aac3045882c58e8f93c
SHA512d977bc3213e2f2be0a248a512585a238f521e0296b9ff3cb3b5438921ee92a31c908fb0235acbd7f306cf79314825f1396460cfe3d2390c82d6599d4c309c315
-
C:\Windows\SysWOW64\cyupuftcmbsqh.exeFilesize
512KB
MD5fefe0fdd0d8a18b4a67d3bd382682161
SHA125ecc1e49efae112f069f5b4f2a5668ace6264b2
SHA256882eb06e5383cdf069ee4ce76bc8e0ba9af79895a3682fda702c947cc805c460
SHA51298676ddca054cc349e38b24541d5e3b68e1dfa1471e94947bee4730366686a2d128d28564af9dfd6d566dcdaffbae42b741aaf5d965b30be5947a113cee600f3
-
C:\Windows\SysWOW64\tsjkrcfnvwimfro.exeFilesize
512KB
MD5dc0e4d7366597dacac6be6f86b900482
SHA159fd876e9889047a2d196d7fe3af1fcf8976426f
SHA256fa3c02b9f016a6f2b4313e98109c04f4a9707cab61f6c83712971b972d12581a
SHA5124cbc6339e898593b7f424b0e42d5f24d324ea94f931cdb3bbc2afedd69ecad3e17e83a141df042dcf6f88d2b1fb5a193669cdcb0e6dd613123af937c806c60a0
-
C:\Windows\SysWOW64\uxqzuhmd.exeFilesize
512KB
MD5604091f9bfee5bf2db033ca3d67d05ec
SHA1240407bde34b02bbce70ad19ea2f05c77092384d
SHA256904ac39d0883f6a4bcf8326c2347ed5adc81a34806a9ebb6855879989c2efca9
SHA512bce3345d286d9d58773545637f013e91d2dd5a5a9f117c7bd8951afe371d068bc467adf20d8f8ad9780100bda33b887dc3f298d5ff89f21339c569159efdd7b9
-
C:\Windows\SysWOW64\yiujeprxil.exeFilesize
512KB
MD58cd7c2303089f00d8963ba17c3c34223
SHA1000749b8b0521e3eccdf9154789f9695bd3cf2f1
SHA256b0c8008f62d131f94f499baac02bb6c509950515442f9de751f2069fe96a5256
SHA512eb3e4f5766bcfc6797d14ef2574c56bb5e4dfaef0ed6e8f48558f2e444073f4ab3ab56c89c2dde16d01ffe19fbbabd9aab58ec08b69c516d2ad33e3053fc9a88
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exeFilesize
512KB
MD5ccc6329daee8890a96834dc41243deaf
SHA18a9fb0510e89a770875c51a033354af2490fc9e4
SHA256911fedd6c9bac090d0eb68df63fb6ed11cbd05535d3d76bdba2450200b75ff11
SHA512b6268e3247b63d7345b56b8e1ed2ecf8720a57b2fb4aede89f73ce79a163151a614d781b692f86da64a2400c6c06dfe2c365b28509fa0fb2c4fbc4c9da69aaeb
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD57b454d10d8b9497187dd4fb17dc146c8
SHA1bf67240ac6c85220bf317d96f99df866709eec5e
SHA25603df96b3a94524d6f91453d4407fa15bdbd0285868548d86cb8316135e4b619e
SHA512dc1196741b6671f87a089cac5d0bc8fdaca1b6eca9173c5e409fddf03877fc2a90b3444c424c0083c97569192c243bd828f5f2777d72c12a18584cd74d81fc64
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
512KB
MD522d347ba95e0b390ba082e0b6e06f55b
SHA140b4fea2f661c656e061368390da6feae926345e
SHA2560d00b61d0a0aec4735b498ac0b8b37aa7f6aef57020697ccb4357cb9ffce7ebe
SHA512f824e0fdd0a1d4b85d68c25e9103c69ebaf70affcffd9ca40967869ca9cfb6fb453d52d0ce9777046457757146ed315cb43dfd73129f0f10193807775e95295d
-
memory/2004-0-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/3892-36-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB
-
memory/3892-38-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB
-
memory/3892-43-0x00007FFEA7650000-0x00007FFEA7660000-memory.dmpFilesize
64KB
-
memory/3892-37-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB
-
memory/3892-39-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB
-
memory/3892-35-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB
-
memory/3892-40-0x00007FFEA7650000-0x00007FFEA7660000-memory.dmpFilesize
64KB
-
memory/3892-618-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB
-
memory/3892-620-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB
-
memory/3892-617-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB
-
memory/3892-619-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB